Scott Culp Testimony on Cybersecurity and Vulnerability Management for U.S. House Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census

Testimony Before the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census

House Committee on Government Reform

U.S. House of Representatives

June 2, 2004

Hearing on

“Cybersecurity and Vulnerability Management”

Chairman Putnam, Ranking Member Clay, and Members of the Subcommittee: Thank you for the opportunity to appear today. My name is Scott Culp, and I am a Senior Security Strategist at Microsoft. Delivering on the Trustworthy Computing Initiative is one of Microsofts top priorities, and improving the manageability of security patches is an important part of that work.

A troubling recent security trend has been the dramatic shortening of the time between the issuance of a patch that fixes a vulnerability and the appearance of a worm exploiting it. In just the past several years, this window has narrowed from hundreds of days in the case of NIMDA, to 26 days for Blaster, to 17 days for the recent Sasser worm. In the face of this trend, Microsoft is employing a defense-in-depth strategy.

First and foremost, Microsoft recognizes that the most effective improvement we can make with regard to patches is to require fewer of them, and we are making substantial progress in reducing security vulnerabilities in our software. But no software will ever be completely free of vulnerabilities, and so we are improving the entire patch management ecosystem.

Over just the past year, we have largely standardized the operation of our patches; significantly reduced their size; and reduced the need to reboot the system after applying them. In the next service packs for Windows XP and Windows Server 2003 , we will deliver new technologies that will help protect systems, even if the user has not installed all needed patches. In the longer term, we are developing breakthrough technologies that will enable systems to dynamically change their behavior when needed patches are missing, and automatically recognize and defend against attacks.

At the same time, are working to help raise federal agencies awareness of products and resources that address the requirements of the Federal Information Security Management Act. And we are providing improved training opportunities for all our customers, including continuing our twice-yearly Federal Security Summits.

We are also contributing to important security policy initiatives. Within just the past few months, Microsoft co-chaired a National Cyber Security Partnership task force that recommended important improvements in the entire software development lifecycle, including patch management. We also are working with BITS to address the financial sectors legacy and other needs and challenges.

These efforts and others underlie what we believe is the industrys leading incident response process. Our response to the recent Sasser worm illustrates this process.

On April 13, 2004 Microsoft published a security bulletin and patch addressing the vulnerability that Sasser ultimately exploited. Microsofts educational and engineering efforts over the preceding months contributed to a patch uptake rate that was 300% higher than it had been for last summers Blaster patch.

We provided information, guidance and recovery tools for our customers worldwide, including contacting US-CERT at the time of the release of the bulletin, and again when Sasser was discovered.

Our Anti-Virus Reward Program caused an individual to provide information to law enforcement that contributed to the arrest of the worms alleged author.

Ultimately, we believe these actions reduced the worms impact. But the fact that it occurred at all reminds us that we need to continue improving.

We all have roles to play in improving cybersecurity. As the Congress and the Administration address this topic, we suggest several actions, which we are eager to work with the government on:

First, we hope the Senate will ratify the Council of Europe Cyber Crime Treaty.

Second, our law enforcers are doing great work, but need more training and better equipment.

Third, government systems administrators would benefit from more intensive training in security.

Fourth, the Common Criteria process should be the primary information assurance certification process for government systems, and we support reforms to make it more efficient and cost-effective.

Finally, we support increased basic research in cybersecurity and computer forensics.

In the final analysis, a more secure computing environment is best achieved when industry leaders continue to innovate around security — to continuously improve the security of software products, help customers operate their networks more securely; and provide effective security and incident response processes.

I would like to thank the committee for this opportunity, and I look forward to your questions.